How North Korea-Backed Lazarus Group is Weaponizing Open Source to Target Developers

Nation-state cyber actors are now infiltrating the software supply chain — not by bypassing it, but by becoming part of it.

Sonatype's latest whitepaper delivers an in-depth analysis of a rapidly escalating campaign by the North Korea-backed Lazarus Group. In just the first half of 2025, Sonatype's automated threat detection uncovered 234 unique malware packages embedded in open source registries — all attributed to Lazarus and targeting software engineers, CI/CD pipelines, and developer environments.

This campaign is not opportunistic. It is strategic. The Lazarus Group is actively abusing developer trust and exploiting package ecosystems like npm and PyPI to distribute multi-stage malware that steals credentials, exfiltrates sensitive data, and enables long-term access to critical infrastructure.

Download this report to learn:

- The exact tactics, techniques, and procedures (TTPs) used by Lazarus to impersonate trusted packages
- How a single npm package can deploy clipboard stealers, credential harvesters, file stealers, and Windows keyloggers — all in parallel
- Why Lazarus is exfiltrating secrets rather than mining crypto — and what that says about their evolving goals
- The broader strategic shift that makes developers a primary target in nation-state campaigns
- Four key recommendations to protect your SDLC and development teams from future supply chain attacks
The North Korea-backed Lazarus Group is actively infiltrating software supply chains by embedding multi-stage malware